Word from the herd

Word from the herd

US Government memo supporting open source software: secure enough for you?

Why You Should Protect Your Open Source Website

As advocates for open source software (OSS), we often get asked whether open source content management systems (CMS) are as secure as proprietary systems. This debate will probably rumble on for time eternal, but here are a few thoughts on how you can keep your website safe in the meantime.

The main characteristic of open source software is that it is available in source code form and freely available for anybody to download, modify and distribute. Examples of open source projects include Linux operating system, the Android mobile platform and, of course, CMSs such as WordPress and Drupal.

This is great from a development point of view, and we find that it provides an extremely cost effective way of delivering websites and web applications to our clients. But there is a commonly held perception that the open source nature of CMSs such as Wordpress or Drupal somehow makes them more susceptible to security threats, as the malicious hacker out there can easily spot any security holes and worm his or her way in.

This makes sense, you might think, but what isn't taken into consideration here is the community nature of open source projects. While it is true that the code is open, it is also significant that that code is being continually reviewed and improved by hundreds, often thousands, of developers.

As far back as 2009, the US Department of Defence recognised the security benefits of open source software, and issued a memorandum to encourage the greater uptake of OSS in its IT systems. In the memo, the Assistant Secretary of Defence, Dave Wennegren, lists the benefits of OSS, and states that “The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.”

For this reason, security updates are frequently released and should be applied as soon as possible. This is something we have to do regularly at Herd, and fortunately there are a number of handy tools available to help with this process. For those of you who are minded to roll your sleeves up and have a go yourselves, here's an overview of the process.

The process

Both WordPress and Drupal 7 now enable updates to be applied through the administration interface if FTP access is available. Another method that has become popular amongst Drupal developers is to run some simple Drush commands to get these updates applied. If neither of these options is available you can simply download the new version of the code and apply the updates manually.

Of course, whenever you're making code updates to your website, they need to be fully tested. At Herd we always make a complete clone of a website and test the updates on this first to ensure the updates don't cause any adverse affects to your live website: we need to be sure the updates haven't stopped something from working correctly or being altered visually in any way, and this isn't always as straightforward as it might initially appear.

After testing that the updates don't cause any problems, we take a backup of the updated site, and then deploy the code to the live environment.

This process can appear quite involved, however it is something that is strongly recommended by industry experts: nobody wants their website to be brought down by a security attack, and the time involved to rectify this scenario would be significantly greater than the time it takes to keep on top of security updates.

So, having code available to view by anybody is not necessarily a bad thing as it often means that any security holes are closed quickly. The large community of open source developers can help identify any potential risks quickly, and as long as updates are applied regularly to your website, you can be confident of it being secure.

Further information

If you're keen to have a go at upgrading your site, here are the Drupal and WordPress guides to site upgrades to help you get started. If you would like help with upgrading your website, please email us at support@herdcomms.com and we'd be happy to talk.